Facebook Shares Its Groundbreaking Android Security Tool With World

Photo: Jim Merithew/Wired

When you install an app on your phone, you don’t always install it on the phone itself. You often store new apps and new data on the tiny SD cards that slide in and out of your phone, letting you add more storage space as needed.

And that can be a problem.

Typically, an app that has permission to read and write data from an SD card has the power to read all data on the card — including information written by other apps. This means that if you install a malicious application by mistake, it can easily tap into a wide range of sensitive data inside your phone.

The good news is that engineers at Facebook have developed a way of protecting the company’s rather popular Android apps when they’re stored on SD cards, and they’re now sharing this security tool with the world at large, letting other software developers protect their apps in similar ways. That bodes well not only for developers, but for you, the person who will ultimately use these apps on phones.

This comes as more and more large tech companies are sharing important parts of their engineering know-how with other developers and companies across the globe. Together with Twitter and, in some ways, Google, Facebook is leading this trend. Companies like these were built on open source software, and in feeding new tools back to the open source community, these tech giants believe they will not only return the favor, but drive still more innovation that will ultimately feed back into their online operations.

Facebook calls its Android security tool Conceal, and in short, it’s a programming code library for safely encrypting and decrypting data stored on SD cards. The company is already using the tool with the primary Facebook app that runs on Android. According to Facebook software engineer Subodh Iyengar, the company started building the tool about six months ago, but it only recently decided to open source it. “We had conversations with other developers who were interested,” he tells WIRED.

The tool is based on algorithms from OpenSSL, a common open source encryption system for the web, but it’s designed specifically for mobile phones running Android — including low-end phones. The whole library takes up only about 85KB of space. “Unlike other libraries, which provide a wide range of encryption algorithms and options, Conceal prefers to abstract this choice and include sensible defaults,” Iyengar wrote in a blog post introducing the project. “We think this makes sense because encryption can be very tricky to get right.”

There’s a certain irony in Facebook releasing software to help developers protect user data from other applications. Just last week, it was revealed that the new version of the company’s Android app asks for permission to read text messages on your phone. Facebook explained that this lets it handle two-factor authentication more easily, but some have suggested the move may provide the company with an unnecessary level of access to personal information. That may make some privacy advocates think twice about using open source code from Facebook to build security features into apps.

But the beauty of open source software is that the whole world can see how the code works, and determine whether it’s legit or not. Facebook has a long history of open sourcing code that has gone on to significantly change the way both software and hardware are built. This includes everything from small software tools like Conceal to massive data analysis software, computer server designs, and even data center blueprints.